Blackhawk Network Privacy Policy

Last Updated: March 1, 2019

Introduction and Scope of Practices.

Blackhawk Network Holdings, Inc. and its affiliates (“Blackhawk,” “we,” “us,” or “our”) care about your
personal information. This Privacy Policy (“Policy”) describes how we use and disclose the personal
information (which includes “personal data” as defined under applicable EU and other data protection laws)
we collect about you, and the rights you have regarding such data. This Policy applies to the personal
information Blackhawk collects about users of our websites (including www.blackhawknetwork.com), mobile
applications, and the services and features therein (together the “Sites”), as well as the data we collect
in providing our services (the “Services”) and when individuals communicate with us about our Sites and
Services, whether in person, by telephone, by mail, or other means. When we act as a data processor on
behalf of another controller, we collect, use, and disclose certain personal information only under the
controller’s instruction, and our processing of your personal information is subject to their instructions
and privacy policies.

Please note that links to third-party websites are subject to the third-parties’ privacy policies and terms
of use, not ours, unless you are told otherwise. Also, some of Blackhawk’s Services are offered through
third-parties, such as banks or other financial institutions. In those cases, the third-parties’ policies
will govern their use of the personal information they process about their customers.

Personal Information We Collect

We collect personal information directly from you, through third parties, or automatically through our
Sites and related to our Services, subject to applicable laws as set out below. Where the personal
information we collect is needed to comply with law, or to enter into or perform an agreement with you, we
will inform you at the time of such data collection. If we cannot collect this data, we may be unable to
on-board you as a client or provide products or services to you.

Personal Information We Collect Directly from You:

Payment and financial information, such as credit or other payment card information, bank account, or
billing address;

Shipping address and related details;

Your resume, employment and education history, name and contact details, background details, and
references when you apply to job postings or contact us about employment opportunities;

Company and employment information;

Subject to applicable local law restrictions, Social Security Number or other national tax ID number (for
clients and potential clients);

Unique identifiers such as user name, account number, or password;

Preference information such as product wish lists, order history, or marketing preferences;

Information about your business such as company name, size, or business type; and

Demographic information, such as age, gender, interests and ZIP or postal code.

Comments, Posts and Submissions.

When you submit online forms, participate in surveys, contests, promotions, or sweepstakes, join online
chat discussions or post on a blog, request customer support, or submit testimonials, we collect your
personal information, such as contact information, and other information you choose to share. Some of our
Sites offer publicly accessible blogs. Any information you provide in these areas may be read, collected,
and used by others who access them.

Testimonials.

With your consent, we may use your testimonial and your name, e.g. to display personal
testimonials of satisfied customers on certain Sites and in print advertisements.

Location.

On some Sites we collect geolocation-based information for fraud prevention purposes. With your consent,
we may also collect your precise location-based information for purposes such as to help you locate a store
offering our products and services in your area. You may withdraw your consent to the processing of
location-based information at any time by changing the settings on your device. If you do, you might not be
able to use certain features, especially when we use location-based information to prevent fraud.

Personal Information We Collect from Third-Parties.

Sometimes, we may collect personal information
from third-party sources. For example, subject to applicable law, we may confirm your address with the
postal service or we may receive personal information about you from our clients who use our Services.
Similarly, if our users choose to send a gift to their friend through our Sites, we will ask for the
friend’s name and contact details.

Certain websites also may offer a referral service where users may refer other people they know to our
Services, subject to restrictions under applicable local laws. If you choose to use our referral service to
tell your friends about our Services, we will provide you with a referral code and signup instructions that
you can share with your friends. Where permitted by local law, we conduct such referrals on an opt-out
basis. If personal information about you has been provided to us and you want us to delete it, you may
email us at privacy@bhnetwork.com.

Personal Information We Collect Automatically.

We and our service providers automatically gather information about your use of the Sites and Services
through cookies, web beacons, JavaScript, log files, pixels, and other technologies, which include: your
domain name, browser type, browser language preference, device type and operating system, page views and
links you click within the Sites, IP address, device ID or other identifier, location information, date and
time stamp, and time spent using the Services, referring URL, your activity within the Sites, and device
geolocation information (where permitted by your device settings).

We also collect information from analytic services, including Google Analytics, to compile and analyze
information derived from the use of our Services, such as aggregate usage patterns, user preferences, peak
demand times, preferred content and other information.

See the “Cookies and Online Tracking” section below for details.

Use of Your Personal Information and Legal Bases

We may use the personal information we collect for the following purposes:

Customer Service and Support: To send you important information, such as changes to terms, conditions, and
policies and/or other administrative information;

Personalization: To personalize your experience on a Site or using the Services, such as by tailoring the
content we send or display to you in order to personalize help and instructions, and to otherwise
personalize your experience using the Services;

Marketing and Promotions: To send you marketing communications you have signed up for;

Advertising and Referrals: To assist in advertising the Services on third-party websites and to track
referrals from partner websites;

Analytics and Improvement: To better understand how users access and use the Services, and for other
research and analytical purposes, such as to evaluate and improve the Services;

Verify Identity and Detect Fraud: To verify your identity and/or location in order to allow access to your
accounts, conduct online transactions, and secure your personal information, and for risk control, fraud
detection and prevention, and compliance with laws and regulations;

Protect Our Legal Rights and Prevent Misuse: To protect the Services, prevent unauthorized access and other
misuse, and where we believe necessary to investigate, prevent or take action regarding illegal activities,
suspected fraud, situations involving potential threats to the safety of any person, or violations of our
Terms of Use or this Policy.

Comply with Legal Obligations: To comply with the law or legal proceedings such as when required to
disclose information in response to lawful requests by public authorities, including responding to
national security or law enforcement disclosure requirements; and

General Business Operations: Where necessary to the administration of our general business, accounting,
recordkeeping and legal functions.

Aggregated and Anonymized Information

We may also generate aggregated, pseudonymized and/or anonymized information about users for marketing,
advertising, research or similar purposes.

Purpose of Use

In the table below, we explain the purposes for which we use and process your personal information, as well
as the legal bases for such use and processing under the European Union’s General Data Protection
Regulation (“GDPR”) and other applicable laws.

Purposes of Use (see above) | Legal Bases of Processing (where applicable)

Provide Our Services; Customer Service and Support | Necessary to enter into or perform a contract with you
(upon your request, or as necessary to make the Services available)

* For personal information from the EU, the processing is in our legitimate interests, which are not
overridden by your interests and fundamental rights. Our legitimate interests include our interests in
verifying identity, detecting and preventing fraud, protecting and improving our products and services, in
support of our general business operations, and to comply with our legal obligations. We only send
marketing communications to EU consumers who provide opt-in consent or who are covered by "soft opt-in"
exemptions.

How We Disclose Personal Information We Collect

We do not sell your personal information to third-parties.

Affiliated Blackhawk Companies

We disclose personal information among our affiliated and subsidiary companies in furtherance of the
purposes set out in this Policy; their processing of your personal information is subject to this Policy.

Service Providers

We disclose your personal information to certain companies that provide services to us and on our behalf
and subject to our written instructions, such as shipping, payment, hosting, and other support services;
these companies may be located in the EU, the United States, and other jurisdictions.

Clients and Partners

Where we process personal information on behalf of our clients or partners, we process and share your
personal information with that entity subject to its instructions. In such cases the client or partner is
the controller of your personal information. This Policy does not apply to Blackhawk’s processing of your
personal information in its capacity as the client or partner’s data processor and our use of your personal
information is subject to their instructions. Rather, where our clients or partners process and use your
personal information as controllers, their own privacy policy applies.

Referral Partners

We offer referral-based commission systems through third-party partners so that publisher websites may
refer users to our pages to make purchases. These partners will be identified when you sign up, and we will
obtain your consent in jurisdictions where this is required (and no other legal basis applies). Your
personal information collected in such cases will be owned and controlled by both Blackhawk and the partner
as independent data controllers. This Policy governs only Blackhawk’s use of such data. The partner’s own
privacy policy governs its use of the data.

Product Short Notices

Some products offered in conjunction with banks have unique data sharing agreements. Where relevant,
Blackhawk will make available to you short privacy notices of each product’s sharing policies on its
website.

Additional Disclosures

We may also disclose your personal information in the event of the situations below.

As permitted or required by law, such as to comply with a subpoena, or similar legal process;

When we believe in good faith that disclosure is necessary to respond to claims asserted against us,
protect our rights, protect your safety or the safety of others, investigate fraud, comply with legal
process (e.g., subpoenas or warrants), or respond to a government request;

If Blackhawk is involved in a merger, acquisition, or sale of all or a portion of its assets, or in the
event of a bankruptcy or dissolution of our business, your personal information may be transferred to an
acquiring business or third party, including in contemplation of or related to due diligence for such
business transactions, subject to any applicable restrictions under applicable laws. You will be notified
by email and/or by a prominent notice on our website of any change in ownership or uses of your personal
information, as well as any choices you may have regarding your personal information; and

To any other third party with your prior consent.

Aggregate and Anonymized Information

We may share aggregate and anonymized information about users with certain third parties, including for
marketing, advertising, research or similar purposes.

Cookies and Online Tracking

We and our third-party service providers collect information automatically through cookies, beacons,
pixels, tags, scripts, and HTML5, as well as log files. We, or our service providers, may combine this
information with other information, including personal information we collect about you, to record your
preferences, gather information about the use of our Services, identify when our emails are viewed,
personalize content and ads and track information about the performance of our advertisements.

Cookies. These are small files with a unique identifier that are transferred to your browser through our
websites. These technologies allow us to collect information such as browser type, time spent on our Sites,
pages visited, language preferences, and your relationship with us. We can use this information to analyze
trends, administer the website, track users’ movements around the website, measure the effectiveness of our
communications, tailor our advertising to you, and gather demographic information about our user base as a
whole. These technologies may provide us with information about devices and networks you utilize to access
our Services, and other information regarding your interactions with our Services. For detailed information
about the cookies used in the Services and how you can manage your cookie preferences or reject cookies
altogether, please read and review our Cookie Policy.

Pixels, Web Beacons, Clear GIFs. These are tiny graphics with a unique identifier, similar in function to
cookies that we use to track the online movements of users of our web pages and our Ad Services, and to
personalize content, and to identify when our emails are viewed or forwarded.

Our third-party partners use Local Shared Objects, such as Flash cookies, to embed features on our sites.
To manage Flash cookies, please click here.

"Do Not Track" Preferences

Our Site does not recognize do-not-track signals; however, we do not track your online activities across
different Sites, and we only track your activity within a Site to the extent you log into your account.
Therefore, our practices remain the same whether or not you enable the "Do Not Track" feature. For more
information about do-not-track signals, please click here or see our Cookie Policy.

Third-Party Analytics

We also use automated devices and applications, such as Google Analytics (more info here) to evaluate use
of our Services. We use these tools to gather non-personal information about users to help us improve our
Services and user experiences. These analytics providers may use cookies and other technologies to perform
their services on our behalf. See our Cookie Policy for more information about our use of analytics tools.

Marketing and Targeted Advertising

We partner with third-party ad networks and third-party ad companies to manage our advertising on other
sites. Our third-party partners use technologies such as cookies to gather information about your
activities on this website and other sites in order to provide you personalized advertising based upon your
browsing activities and interests. Please see the “Cookies and Online Tracking” section above or our Cookie
Policy for more information.

Marketing and Newsletters

If you subscribe to our newsletters, we will use your name and email address to send them to you. You may
choose to stop receiving our newsletter or marketing emails at any time by following the unsubscribe
instructions included in these emails or accessing the email preferences in your account.

Custom Audiences

Subject to local law restrictions, we may disclose certain information (such as your email address) to
third parties, such as Facebook (more info on Facebook Custom Audience here), so that we can better target
ads and content to our users, and others with similar interests on these third parties’ platforms or
networks (“Custom Audiences”). We may also work with third-party ad networks and marketing platforms that
enable us and other participants to target ads to Custom Audiences submitted by us and others. If you would
like to opt-out of being included in our Custom Audiences going forward, email us at privacy@bhnetwork.com
and we will opt you out of our future Custom Audiences.

Opting Out of Ad Networks

How to opt out

If you wish to not have this cross-site information used for the purpose of serving you targeted ads, you
may opt-out of many ad networks by clicking here (or if located in the European Union, click here). You
will continue to receive ads on the sites you visit, but the ad networks from which you have opted out will
no longer target ads to you based upon your activities on other sites. Please note, however, that these
opt-out mechanisms are cookie based; so, if you delete cookies, block cookies or use another device, your
opt-out will no longer be effective. For more information, go to www.aboutads.info.

For more information, and to opt out of interest based ads from many ad networks, see our Cookie Policy.
Note, if you delete cookies or change devices, your opt-out may no longer be effective.

Social Media Widgets

Our Sites include social media features, such as the Facebook "Like" button, either hosted by a third-party
or hosted directly on our website (“Widgets”). Please refer to the privacy policies of the relevant
third-party websites or services to find out more about the collection, use, and disclosure of your
information through such features. We will comply with any legal obligations placed on the use of these
technologies by certain jurisdictions, which may affect how these Widgets function.

Security

The security of your personal information is important to us. We have implemented safeguards designed to
protect the personal information submitted to us. Please note that no data transmission over the Internet
can be guaranteed to be 100% secure. As a result, we cannot guarantee or warrant the security of any
personal information that we process.

Retention

We will retain your information for as long as your account is active or as needed to provide you services
and up to a period of no longer than seven (7) years, unless the period is required to be different under
applicable law. To the extent permitted by applicable law, we may also further retain and use your personal
information only as necessary to comply with our legal obligations, resolve disputes, maintain appropriate
business records, and enforce our agreements.

Image Submissions and Public Directories

Some of our websites offer you the ability to upload your own image to be used to create a personalized
product. You may have the option to make these images available in publicly-accessible directories. You
should be aware that any information you provide in these areas may be read, collected and used by others
who access them. You may request removal of your personal information at any time.

Your Rights

Certain countries and regions, including the European Union, have enacted laws that provide for privacy
rights for individuals located in the EU. Regardless of your location and jurisdiction, Blackhawk may at
its sole discretion choose to extend these rights to all individuals, and to comply with requests as
detailed below. We do not charge for these services but in certain cases we may require further proof of
your identity or ask you to clarify the scope and nature of your request if it is unclear. Where you are
entitled to a right, we will respond to your request within the timeframe set out by law, or where we
provide answers on a voluntary basis within a reasonable timeframe.

Please note that we only respond directly to you in cases where we are the controller of your personal
information. Where we are acting as a data processor on behalf of a client or partner, we will forward your
request to the client or partner who is the data controller of your personal information.

Access, Rectification, Portability and Deletion

You have the right to access, rectify (correct), or delete your personal information held by us or may ask
for a restriction of processing. You may also have the right to ask for an overview or copy of your
personal information or to request that certain of your personal information be exported to you or to
another provider where technically feasible (data portability). On some of our Sites, you may access,
rectify, or delete your personal information by making the change directly on your account page. You may
also make these requests by sending an email to privacy@bhnetwork.com or by sending your request by postal
mail to the address below.

Please note that there are some limitations to these rights. For example, we will not be able to delete
your personal information if we are required by law to keep it or if we hold it in connection with a
contract with you. Similarly, access to your personal information may be refused if making the information
available would reveal personal information about another person or if we are legally prevented from
disclosing such information. If we cannot fulfill your request, we will inform you about why we cannot
comply with your request.

Withdrawal of Consent

Where we process your personal information based on your consent, you have the right to withdraw your
consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Object to Processing

You have the right to object to processing (including profiling) based on legitimate interest grounds,
where we are relying upon legitimate interests to process personal information. If you object, we must stop
that processing unless we can demonstrate compelling legitimate grounds for the processing that override
your interests, rights and freedoms, or we need to process the personal information for the establishment,
exercise or defense of legal claims. Where we rely upon legitimate interest as a basis for processing, we
believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an
individual basis.

Object to Marketing

You have the right to object to our use of your personal information (including profiling) for direct
marketing purposes, such as when we use your personal information to invite you to our promotional events.

Right to Lodge a Complaint

You have the right to lodge a complaint with your supervisory authority, if you consider that the
processing of your personal information infringes applicable law.

To exercise your rights, email privacy@bhnetwork.com (or contact us as indicated in the ‘Contact Us’
section below). Please keep in mind that certain services will not be available if you withdraw your
consent, or otherwise delete or object to our processing of certain personal information. We will respond
to your request in accordance with applicable law, and we will inform you if we do not intend to comply
with your request.

Protecting Children’s Privacy Online

Our Sites are not directed to children and we do not knowingly collect personal information from children
under the age of sixteen (16), and we request that such individuals do not provide personal information
through our Sites.

International Transfer

The personal information we collect from you may be transferred to, stored at or processed in other
countries, including the United States or outside the European Economic Area, which may not provide
equivalent levels of data protection to your home jurisdiction.

We will take steps to ensure that your personal information receives an adequate level of protection in the
jurisdictions in which we process it, including through appropriate written data processing terms and/or
data transfer agreements. For transfers from the EU, United Kingdom (“UK”) or Switzerland to the U.S.,
Blackhawk Network relies on its Privacy Shield certification (see below). Safeguards may also include
adequacy decisions by the EU Commission or putting in place standard contractual clauses as approved by the
European Commission (the form for the standard contractual clauses can be found here: EU Commission
Standard Contractual Clauses) or another applicable supervisory body.

Privacy Shield Certification

The Blackhawk Network, Inc. and the subsidiary companies listed below comply with the EU-U.S. Privacy Shield
Framework and the Swiss-U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of
Commerce regarding the collection, use, and retention of personal information transferred from the European
Union, the United Kingdom (“UK”) and/or Switzerland to the United States in reliance on Privacy Shield:

Achievers LLC

Blackhawk Engagement Solutions (DE), Inc.

Blackhawk Engagement Solutions (MD), Inc.

Blackhawk Engagement Solutions, Inc.

Blackhawk Issued Content, LLC

Blackhawk Network (Overseas Territories), LLC

Blackhawk Network California, Inc.

Blackhawk Network Holdings, Inc.

Blackhawk Network, Inc.

CardLab (TX), Inc.

CardLab, Inc.

CashStar Inc.

GiftCardLab, Inc.

GiftCards.com, LLC

Global Incentive Solutions, LLC

IMShopping, Inc.

Incentec Solutions, Inc.

Main Street Solutions US Inc.

Measureprepaid, LLC

OmniCard, LLC

Blackhawk Network has certified to the Department of Commerce that the above companies adhere to the Privacy
Shield Principles with respect to such information. If there is any conflict between the terms in this Policy
and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy
Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

Blackhawk is responsible for the processing of Personal Information it receives, under the Privacy Shield
Framework, and subsequently transfers to a third-party acting as an agent on its behalf. Blackhawk complies with
the Privacy Shield Principles for all onward transfers of personal information from the EU, Switzerland and/or
the UK, including the onward transfer liability provisions.

With respect to Personal Information received or transferred pursuant to the Privacy Shield Framework, Blackhawk
is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations,
Blackhawk may be required to disclose Personal Information in response to lawful requests by public authorities,
including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact
our U.S.-based third-party dispute resolution provider (free of charge) at
https://feedback-form.truste.com/watchdog/request. We are committed to cooperating in the resolution of
disputes with individuals through this process.

Updates to This Policy

This Policy may be subject to change. Please review it from time to time. If we make material changes to
this Policy about how we process your personal information, we will post those changes on this page and
revise the "Last Updated" date at the top and we will notify you by email or prominent notice on this Site
prior to the change becoming effective. Where required by law, we will obtain your consent or give you the
opportunity to opt out of such changes. Any changes will become effective when we post the revised Policy.

Contact Information

If you have any questions or concerns regarding the way in which your personal information is being
processed, please reach out to us using the contact information below:

EU Inquiries

You may contact Blackhawk Network, Inc. at the address or email above or the appropriate Blackhawk EU Data
Protection Officer listed below, and we will work to properly respond to your inquiry or request.

If you have any further queries or complaints that we are not able to answer, you should contact the Data
Privacy Supervisory Authority for the country in which you reside. A list of National Data Protection
Authorities in the European Economic Area can be found here.